EP0695056A2 - Method for sharing secret information, generating a digital signature and performing certification in a communication system having a plurality of information processing apparatuses, and communication system using such a method - Google Patents
- Publication number
- EP0695056A2 (application EP95305211A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- secret
- information
- apparatuses
- authentication
- sharing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3255—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/60—Digital content management, e.g. content distribution
- H04L2209/601—Broadcast encryption
Definitions
- the present invention relates to a method whereby secret information, which is carried in one of the information processing apparatuses (hereafter referred to as a "subscriber") that are joined together by communication paths in a communication system, can be shared among the subscribers, and to a communication system that employs such a method. Further, the present invention relates to a method for sharing or generating a digital signature for a group that is composed of several of a plurality of subscribers, and to a communication system that employs such a method.
- the present invention pertains to a method for sharing, with a plurality of subscribers, a certification function by which a receiver of information can verify that the information has been transmitted from a correct transmitter (has not been altered by another apparatus along the way), and to a communication system that employs such a method.
- a conventional coding technique that generates increased redundancy data is one of the known techniques that improve the reliability of information communication systems.
- Error correction codes in particular, by which errors that have occurred along a communication path can either be detected or corrected, are frequently employed to efficiently implement highly reliable communication systems.
- A. Shamir proved that a coding technique that increases redundancy by sharing confidential information is effective as a means, in a communication system, for improving reliability while at the same time providing protection for secret information (see "How to Share a Secret", Communications of the ACM, Vol. 22, No. 11, 1979).
- the protection of shared secret information does not have to rely only on the physical security that is provided at a single specific subscriber, and reliability can be increased (fault tolerance can be achieved), as described by the following two definitions.
- the sharing and the holding of certain secret information x by all the subscribers means that individual subscribers i generate information segments, which together correspond to the secret information x, and distribute the generated information segments to the other subscribers in order to satisfy the following requirements (a) and (b).
- M. Ben-Or, S. Goldwasser, and A. Wigderson described a conventional error correction coding technique that can satisfactorily provide, for a communication system that has a secret communication channel, a verifiable secret sharing system (when the threshold value t satisfies t < n/3) that can cope with faulty subscribers as long as the number of such subscribers is smaller than one third of the total subscribers (see "Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation", ACM STOC 1988).
- in the non-dialogue cryptological method (2), the calculation of a one-way function of a special order must be performed n times for the n secret portions. Especially when the secret sharing process is employed as a partial process for safely executing a shared calculation, the number of secret sharing processes that must be performed increases (e.g., it is on the order of n for shared multiplication), and the total number of calculations becomes impractically huge.
- the dialogue method (1) requires a great amount of communication, while the cryptological method (2) requires a huge number of calculations.
- the cryptological technique is effective for implementing not only the function for keeping information secret, but also a function for verifying received information and a function, called a "digital signature", for verifying for a third person that the received information has been transmitted from a designated apparatus.
- the RSA cryptosystem is one of the public-key cryptosystems (for an example, see "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", R. Rivest, A. Shamir, and L. Adleman, Communications of the ACM, 21, 2, 1978, pp. 120-125, or see USP 4,405,828).
- the fundamental portion of this sharing digital signature method is to share secret information in a communication system that consists of the above described plurality of subscribers so as to satisfy the previously mentioned requirements (a) and (b).
- the sharing-type digital signature method proposed by Y. Desmedt and Y. Frankel, that employs the RSA cryptosystem based on the secret sharing method satisfies the following requirements (I) and (II).
- an enormous amount of communication is required for a shared digital signature system that is based on the dialogue type verifiable secret sharing method (1) of the conventional technique, while an enormous amount of calculation is required for a shared digital signature system that is based on the non-dialogue verifiable secret sharing method (2) of the conventional technique.
- a person who requests a certification is called a testifier
- a person who provides a testifier an authentication is called an authenticator.
- an authentication server manages secret information for all the apparatuses that constitute a communication system
- an authentication server that is fully reliable for physical reasons is also required (likewise, for the public-key cryptological method, a concentration control center that manages all public keys is required). Therefore, to ensure security, an authentication server must be strictly controlled by locating it in a locked room that no one is allowed to enter without permission.
- if the authentication server cannot be relied on because of the occurrence of a failure or the commission of an unauthorized act, fault tolerance is so reduced that the security of the complete system breaks down.
- the present invention is so positioned that it lies in the middle between the dialogue type system (1) and the non-dialogue type system (2), employs a verifiable secret sharing method by which both the amount of computation and the amount of communication required constitute a practical order of magnitude, and proposes a shared digital signature system (a system that may not generate a signature when the number of subscribers that perform unauthorized acts is equal to or greater than a threshold value, but can identify such subscribers), which is positioned between the requirement (I) (a system that may not generate a signature when there is a subscriber who performs an unauthorized act) and the requirement (I') (a system that can generate a signature even when the number of subscribers who perform unauthorized acts is equal to or lower than a specific threshold value).
- a shared digital signature system is a system that may not generate a signature when the number of subscribers that perform unauthorized acts is equal to or greater than a threshold value, but can identify such subscribers
- the present invention that achieves these objectives relates to an authentication method for a communication system, wherein a plurality of apparatuses are connected and wherein apparatuses among those that belong to a specific group commonly provide authentication, the authentication method comprising the steps of: transmitting an authentication request message, which includes identifiers for a testifier and for an authenticator, from an apparatus of the testifier, who transmits a request for authentication from an apparatus of the authenticator, to each of the apparatuses of the specific group; generating an authentication element, which is encrypted with a secret key that is related to the authenticator, that is based on the authentication request message by employing a cooperative effort involving all of the apparatuses that belong to the specific group, and generating an authentication message by encrypting the authentication element with a secret key that is related to the testifier; transmitting the authentication message from each of the apparatuses of the specific group to the apparatus of the testifier; decrypting the authentication message at the apparatus of the testifier upon receipt of the authentication message, and transmitting the de
- Fig. 3 is a diagram showing the relationship between secret s and partial matrix S.
- R. Merkle has proposed a one-way hash function that uses block cryptology, such as DES (Data Encryption Standard) (see "One-Way Hash Functions and DES", Advances in Cryptology - Crypto '89, Lecture Notes in Computer Science, Vol. 435, Springer-Verlag, 1990).
- block cryptology such as DES (Data Encryption Standard)
- h denotes the one-way hash function that is efficient (includes a high-speed calculation method).
- the hash function (see aforementioned "Modern Cryptological Theory") that is formed by a high-speed block encryption function is employed, for example.
- the probability that verification of the secret sharing processing will fail is 2^(-k'(t+1)) according to Cut and Choose processing (see the aforementioned "Verifiable Secret Sharing and Multiparty Protocols with Honest Majority", T. Rabin and M. Ben-Or).
- Each subscriber i (i = 1, ..., n) employs the random number generation unit 23 to broadcast k' randomly selected bits (information B2.i) (processing R2.i).
- the randomly selected k' bits are each called Bi_1, ..., Bi_k', and the bits of all n subscribers taken together are called B1, ..., Bk.
- s'_c(n) are acquired for the respective rows and columns by interpolation of polynomials. Further, the results s'(r) and s'(c) are acquired by interpolation of polynomials for the above values. The subscriber i verifies whether or not these two results are equal and whether all the elements of these column vectors are correct values of the polynomial that corresponds to the values s'_c(1), ..., s'_c(n) and s'_r(1), ..., s'_r(n).
- the number of sets that correspond to different correct partial matrixes is t+1 at the maximum, and the partial matrixes are called S_1, ..., S_T (wherein T ≤ t+1).
- a non-corresponding column vector represents a subscriber that performed an unauthorized act.
- an amount of communication on the order of n^2 k (wherein n is the number of subscribers and k is a safety parameter) is required, while an amount of communication on the order of n^3 k^2 is required for the conventional dialogue type method (1) described above.
- only a one-time calculation of the one-way hash function is required in this embodiment, while calculations of a specific one-way function on the order of n are required for the conventional non-dialogue type method (2).
- the verifiable secret sharing process and the secret decryption process, as in Embodiment 1, are employed as partial processing for a conventional safe shared computation method (see, for example, "Secure Multiparty Protocols And Zero-Knowledge Proof Systems Tolerating A Faulty Minority", D. Beaver, Journal Of Cryptology, 1991, or "A Note On Multiparty Protocols To Compute Multiplicative Inverses", M. Cerecedo, T. Matsumoto, and H. Imai, SCIS '94, Biwako, Japan, January 1994), so that a more efficient shared operation processing system can be provided.
- the elements of the column vectors X_c(i) and Y_c(i) and the elements of secret values x_r(i) and y_r(i) (see Embodiment 1) of the partial matrix that each subscriber holds are added. It is apparent from the definition of a partial matrix (the elements of the rows and columns are values of a polynomial) that the addition results X_c(i)+Y_c(i) and x_r(i)+y_r(i) are a column vector and a secret value for a partial matrix relative to x+y.
- the one-way hash function values x* and y*, which are employed to verify an information segment in the secret decryption process, are stored. These values are used as needed when the decryption process is performed on the addition result x+y, and thus the partial matrix X+Y that corresponds to the secret x+y is verified.
- the present invention is not limited to the number of dimensions of the partial matrix described in the above embodiment, and may be a multiple dimensional partial array. Further, a function employed may be a function, other than a one-way hash function, that ensures the acquisition of the one way characteristic. As for the Cut and Choose technique, it is not limited to the procedures specifically explained in Embodiment 1, but may involve the use of any method for verifying propriety without leaking the secret.
- because the amount of communication and calculation can be smaller than that required in the conventional case, for a process such as a safe shared operation process, which requires the secret sharing process to be performed repeatedly, the traffic within a communication system and the communication costs are reduced, and the processing is performed at high speed.
- a method for digital signature shared generation performed by a plurality of subscribers that belong to a group of signers will be described by employing the above described secret sharing method.
- the information processing apparatus 11 that subscribers in the system use, the broadcast communication channel 12, and the secret communication channels 13 are the same as those in Fig. 1.
- subscribers A, B, and C constitute a group of signers.
- the block structure of the information processing apparatus 11 is as shown in Fig. 2.
- the results acquired by multiplying a by each element of the partial matrix that the subscriber holds are elements of the partial matrix relative to x*a.
- a digital signature of given message m is generated by the group while being shared as follows.
- Each subscriber i selects secret element r(i) at random from {1, ..., p-1}, and the selection is shared with all the subscribers of the group of signers by performing the above described secret sharing process. Further, each subscriber i calculates g^(r(i)) mod q (wherein q is a prime number selected in the above described manner), and broadcasts it across the broadcast communication channel.
- Each subscriber employs, as an input, a value R||m obtained by combining a given message m and the value R that is acquired in Round 6, and calculates output e = h(R||m) of the predetermined function h described above. Then, s = r+h(R
- the shared secret s is decrypted by the secret decryption processing for the secret sharing method.
- a signature for the given message is defined as (R, s).
- the generated signature is verified by using the public key a and by performing the signature verification processing for the digital signature method.
- the secret decryption process of the secret sharing method is performed to identify such a subscriber.
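As an added illustration (not code from the patent), the signature generation above assembled from univariate Shamir shares over Z_p: each signer derives its share of s = r + h(R||m)*a locally from its shares of r and a, so the group secret key a is never reconstructed and only s becomes public. The toy parameters (q = 23, p = 11, g = 2 of order 11, n = 3 signers, threshold t = 1) and the Schnorr-style check g^s = R*y^e mod q are assumptions; the patent's partial-matrix sharing is simplified here to plain Shamir sharing.

```python
"""Threshold Schnorr-style signature from Shamir shares (added example).

Assumed toy parameters: prime Q = 23, prime P = 11 dividing Q-1, G = 2 of order
P in Z_Q*. Exponents (secret key a, nonce r, signature value s) live in Z_P.
"""
import hashlib
import secrets

Q = 23            # prime modulus of the group
P = 11            # prime order of G (2^11 mod 23 == 1); exponent field Z_P
G = 2             # element of order P in Z_Q*
N, T = 3, 1       # three signers; degree-T polynomials, so T+1 = 2 shares suffice


def share(secret, t=T, n=N):
    """Shamir shares {i: f(i)} of secret over Z_P using a random degree-t polynomial."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at 0 over Z_P (the page's 'secret decryption' step)."""
    total = 0
    for i, y in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + y * num * pow(den, -1, P)) % P
    return total


def h(R, m):
    """e = h(R||m): hash of R concatenated with the message, reduced into Z_P."""
    digest = hashlib.sha256(str(R).encode() + b"||" + m).digest()
    return int.from_bytes(digest, "big") % P


def keygen():
    """Each signer i picks a(i) in {1..P-1} and shares it; the group key a = sum a(i)
    is held only as shares. Public key y = prod g^{a(i)} = g^a mod Q (broadcast values)."""
    a_shares = {i: 0 for i in range(1, N + 1)}
    y = 1
    for _ in range(N):
        a_i = secrets.randbelow(P - 1) + 1
        for i, v in share(a_i).items():
            a_shares[i] = (a_shares[i] + v) % P   # shares of a sum = sum of shares
        y = y * pow(G, a_i, Q) % Q
    return a_shares, y


def sign(m, a_shares, bad_signer=None):
    """Produce (R, s). A signer only ever touches its own shares of r and a.
    bad_signer (constructed fault) corrupts one signer's share of s."""
    r_shares = {i: 0 for i in range(1, N + 1)}
    R = 1
    for _ in range(N):
        r_i = secrets.randbelow(P - 1) + 1
        for i, v in share(r_i).items():
            r_shares[i] = (r_shares[i] + v) % P
        R = R * pow(G, r_i, Q) % Q                # R = g^r, r = sum r(i)
    e = h(R, m)
    # Purely local linear step: s(i) = r(i) + e*a(i) is a valid share of s = r + e*a
    s_shares = {i: (r_shares[i] + e * a_shares[i]) % P for i in r_shares}
    if bad_signer is not None:
        s_shares[bad_signer] = (s_shares[bad_signer] + 1) % P
    s = reconstruct(s_shares)                    # only s is revealed, never a or r
    return R, s


def verify(m, R, s, y):
    """Assumed Schnorr-style verification with the public key: g^s == R * y^{h(R||m)}."""
    e = h(R, m)
    return pow(G, s, Q) == R * pow(y, e, Q) % Q


def demo(m=b"constructed message"):
    """Full round: shared keygen, shared signing, public verification."""
    a_shares, y = keygen()
    R, s = sign(m, a_shares)
    return verify(m, R, s, y)


if __name__ == "__main__":
    print("signature valid:", demo())
```

A corrupted share changes s by a non-zero Lagrange multiple, so the public check fails; pinpointing which signer misbehaved is what the page's verifiable sharing (hash commitments and Cut and Choose) adds on top of this plain version.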
- the elements q_r(i,1), ..., q_r(i,t) are selected from {1, ..., N-1} so as to satisfy the following requirements.
- the elements q_c(j,1), ..., q_c(j,t) are selected from {1, ..., N-1} so as to satisfy the following requirements.
- both vectors [s_r(1), ..., s_r(n)] and [s_c(1), ..., s_c(n)] that have the above values satisfy the following requirements for q_r(1), ..., q_r(t), q_c(1), ..., q_c(t), which are from among {1, ...
- the secret sharing process for distributing a secret portion so that the secret element s can be shared and held by all the subscribers who belong to a group of signers, and the secret decryption process for decrypting the thus shared secret or for identifying a subscriber who performs an unauthorized act (if such an act occurs) are performed in the same manner as the processes (1) and (2) in Embodiment 1.
- processing can be provided where the secret element that a certain subscriber in the group of signers holds can be shared and held by all the subscribers in the group.
- an explanation will be given of processing, of a shared digital signature system, for employing this secret sharing method to generate secret information for a group of signers (which is equivalent to a secret key and which is shared by all the subscribers of the group) and public information for the secret information (which is equivalent to a public key and which is employed for verifying a signature that is generated by the group).
- Key generation processing (see Figs. 13A and 13B).
- Each subscriber i selects secret element a(i) at random from {1, ..., N-1}, and the selection is shared with all the subscribers of the group of signers by performing the above described secret sharing process. Further, each subscriber i calculates a(i)^l mod N (wherein l is an element selected in the above described manner), and broadcasts it across the broadcast communication channel.
- a secret key that is obtained through the above processing is employed by the group to generate a shared digital signature for a given message m as follows.
- Each subscriber i selects secret element r(i) at random from {1, ..., N-1}, and the selection is shared with all the subscribers of the group of signers by performing the above described secret sharing process. Further, each subscriber i calculates r(i)^l mod N (wherein l is an element selected in the above described manner), and broadcasts it across the broadcast communication channel.
- Each subscriber employs, as an input, a value R||m that is obtained by combining a given message m and the value R that are acquired in Round 6, and calculates output e = h(R||m) of the predetermined function h described above. Then, s = r*a^(h(R
- the shared secret s is decrypted by the secret decryption processing for the secret sharing method.
- a signature for the given message is defined as (R, s).
- the generated signature is verified by using the public key a and by performing the signature verification processing for the digital signature method.
- the secret decryption process of the secret sharing method is performed to identify such a subscriber.
- The method stated in Embodiment 1 is used as a specific method for sharing a secret element that is selected by a certain subscriber in a group of signers and for holding it by all the subscribers of the group.
- An explanation will now be given of a process, of a shared digital signature system, for employing the secret sharing method to generate secret information (which is the equivalent of a secret key that is shared by all the subscribers of a group of signers) of the group and public information for the secret information (public information that is equivalent to a public key and that is employed for verifying a generated signature).
- Each subscriber i selects secret element a(i) at random from {1, ..., p-1}, and the selection is shared with all the subscribers of the group of signers by performing the above described secret sharing process. Further, each subscriber i calculates g^(a(i)) mod q (wherein q is a prime number that is selected in the above described manner), and broadcasts it across the broadcast communication channel.
- h denotes an efficient one-way hash function as in Embodiment 1.
- Subscriber d employs the random number generation unit 23 to generate secret element s and partial matrixes for secret elements l1, ..., lk that are randomly selected from {1, ..., p-1}.
- One-way hash function values s* for secret values s_r(1), ..., s_r(n), l1_r(1), ..., l1_r(n), ..., lk_r(1), ..., lk_r(n) are calculated (see Fig. 4).
- the hash values s* (Bl.d in Fig. 17) are broadcast across the broadcast communication channel to all the subscribers (represented as processing R1.d in Fig. 17).
- the random number generation unit 23 is employed to generate a partial matrix (which is called T(i), M1(i), ...
- the hash function values s* for secret values t(i)_r(1), ..., t(i)_r(n), m1(i)_r(1), ..., m1(i)_r(n), ..., mk(i)_r(1), ..., mk(i)_r(n) are calculated (see Fig. 4).
- Each subscriber i transmits the column vectors T_c(j), M1_c(j), ...
- the information that the subscriber i has broadcasted is represented as B3.i in Fig. 17.
- a decision message is broadcast by the subscriber d (processing R5.i in Fig. 17).
- the information that is broadcast by the subscriber i is represented as B5.i in Figs. 17 and 18.
- each subscriber i broadcasts the partial matrix Mj(i) that is generated by the subscriber i in Round 2. If Bj is 0, the subscriber d broadcasts the result (written as T(i) + Mj(i)), which is obtained by adding each element of the generated partial matrixes T(i) and Mj(i) in the finite set (mod p) (processing R6.i in Fig. 18). Further, the subscriber d broadcasts the column vectors from the subscriber i that are determined in Round 5. The information that is broadcast by the subscriber d is represented as B6.i in Fig. 18.
- If Bo is 1, lj_r(o) is decrypted, the column vector below is calculated, and it is verified that the result obtained by calculating the column vector is identical and corresponds to value 0: (lj_r(o))^(-1)*Mj(o)_r(i) - X(o)_r(i).
- the secret element s that a specific subscriber i has selected at random from {1, ..., p-1} is verifiably shared, and at the same time, the product s*x of the secret s and the previously, verifiably shared secret x is calculated.
- the calculation process for obtaining a product of two shared secrets x and y by performing the above processing will be described. This process is shown in Fig. 19.
- product x*y of the two shared secret elements x and y can be shared and calculated by the subscribers that join the group.
- a digital signature for a given message m is shared and generated by the group as follows. Signature generation processing (see Fig. 20)
- Each subscriber i selects secret element r(i) at random from {1, ..., p-1}, and this selection is shared with all the subscribers of the group of signers by performing the above described secret sharing process. Further, each subscriber i calculates g^(r(i)) mod q (wherein q is a prime number selected in the above described manner), and broadcasts it across the broadcast communication channel.
- the shared secret s is decrypted by the secret decryption processing of the secret sharing method.
- a signature for the given message is defined as (R, s).
- the generated signature is verified by using the public key a and by performing the signature verification processing for the digital signature method.
- the secret decryption process of the secret sharing method is performed to identify such a subscriber.
- the present invention is not limited to the number of dimensions for a partial matrix as is described in the above embodiments 3 to 5, and may be a multiple dimensional partial array.
- a function employed may be a function, other than a one-way hash function, that ensures the acquisition of the one way characteristic.
- the Cut and Choose technique is not limited to the procedures specifically explained in Embodiment 1, but may be any method for verifying propriety without leaking the secret.
- a shared digital signature method can be provided by which, when the number of correct signers of a group, which consists of a plurality of computers (signers) that are connected via a communication system, is greater than a threshold value t, a signature can be generated by the group, and when a signer performs an unauthorized act, such a signer can be identified.
- the method in this embodiment needs only an efficient amount of communication and calculation.
- the method of the present invention is safer because by this method an offending signer can be identified.
- the amount of calculation that is required for each signer who joins a group of signers is assumed to be substantially the same as that required for the latter conventional digital signature method.
- the amount of communication required for each signer is of the order l*n^2*k (wherein n denotes the number of subscribers, k denotes a safety parameter, and l denotes the length of an integer employed), and is more practical than that required for the former conventional digital signature method.
- the required amount of communication and calculation can be reduced by employing a signature generation method of this embodiment.
- the traffic in a communication system and communication costs can be reduced, and because of a small amount of calculation, high speed processing can be performed.
- Fig. 21 is a diagram illustrating a communication system, according to one embodiment of the present invention, that has information processing apparatuses that share and perform authentication.
- Apparatuses 14 are apparatuses AS(1), ..., AS(k) (hereafter called "members") that are shared authentication servers.
- the number of the members in this case is defined as a comparatively small number, 20 or less, for efficiency.
- the total number of apparatuses that constitute the communication system may be considerably greater than the number of members; they are connected to the members across the secret communication channels 13. Communication between the apparatuses is performed across a normal (non-reliable) communication channel 16.
- a request for a service (e.g., a file transfer, a remote procedure call, etc.)
- the apparatus that makes a request is called a "client"
- the apparatus that receives the request and provides the service is called a "server".
- apparatuses 15 are apparatuses C/S(1), . . ., C/S(n) that serve as such a client and a server.
- a member can be a client or a server.
- the client and the server are employed for mutual authentication and the authentication of the communication contents. Further, the client and the server share a secret key for performing secret communication.
- the authentication server in this embodiment is more reliable than a conventional authentication server.
- VSS (Verifiable Secret Sharing)
- a secret can be shared among the members by using a verifiable method.
- the protocol is realized as is shown in Figs. 23A and 23B.
- Each member AS(i) generates pseudo-random secret ri that is represented as an element in a finite set (processing 81).
- the pseudo-random secret r is a number that anybody can not know unless the majority of the members plot together.
- the shared pseudo-random secret is generated in the above described manner, and the generated pseudo-random secret can be employed as a conversation key for a testifier and an authenticator.
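The two properties used above (member-wise addition of shares gives shares of x+y, and a shared pseudo-random secret r = sum of each member's r_i that no single member learns) can be demonstrated with plain Shamir threshold sharing over GF(p). The following is an added example, not code from the patent; the patent's own shares are rows and columns of a polynomial-valued matrix, whereas this block uses single polynomial evaluations, and the field modulus, threshold and secret values are constructed for illustration.

```python
"""Added example (not from the patent): additive sharing of secrets with Shamir's scheme.

Shows (1) that adding the shares of x and y member by member yields shares of x + y,
and (2) that a shared pseudo-random secret r = sum(r_k) can be built from contributions
that each member shares individually. All parameters below are constructed."""
import secrets

P = (1 << 61) - 1   # Mersenne prime used as the field modulus (assumption, not from the patent)


def share(secret: int, t: int, n: int) -> list[tuple[int, int]]:
    """Split `secret` into n shares (i, f(i)); any t of them reconstruct it."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P)
            for i in range(1, n + 1)]


def reconstruct(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total


def add_shares(a: list[tuple[int, int]], b: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Member i adds its share of x to its share of y; the result is its share of x + y."""
    assert [i for i, _ in a] == [i for i, _ in b], "shares must belong to the same members"
    return [(i, (ya + yb) % P) for (i, ya), (_, yb) in zip(a, b)]


def shared_random_secret(t: int, n: int):
    """Each member k picks r_k and shares it; summing the shares index-wise gives
    shares of r = sum(r_k). No member learns r unless t members pool their shares."""
    contributions = [secrets.randbelow(P) for _ in range(n)]
    combined = [(i, 0) for i in range(1, n + 1)]
    for r_k in contributions:
        combined = add_shares(combined, share(r_k, t, n))
    return contributions, combined
```

Reconstructing any t of the summed shares returns (x + y) mod P without anyone ever having reconstructed x or y individually, which is the point the text makes about X_c(i)+Y_c(i) and x_r(i)+y_r(i).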
- Fig. 24A is a diagram for explaining this protocol.
- The VSS protocol is executed in the finite set GF(2^L).
- Secret portions m1(i), . . ., mN(i) are assumed to be secretly shared among the members AS(i).
- A secret key pk that has the same length as the message m is also divided into N blocks pk1, . . ., pkN, each of length L.
- These blocks are secretly shared among the above members, so that the members AS(i) hold the individual secret portions pk1(i), . . ., pkN(i).
- c1(i), . . ., cN(i) correspond to the secret portions of c1, . . ., cN, which are obtained by dividing the encrypted statement c into N blocks, each of length L. Therefore, the encrypted statement c is decrypted by performing the previously mentioned secret decryption process, and becomes public.
- The apparatuses of the communication system that hold the secret key pk can decrypt the original message m from the public encrypted statement c. It should be noted that the secret key pk is used only once and never used again.
- If the message m is known, the secret key pk might become known to a third party by subtracting the message m from the encrypted statement c that has become public. Therefore, the protocol shown in Fig. 24B is employed for public data.
- The message m is formed of N blocks m1, . . ., mN, each of length L.
- The contents of the message m are public data that are known to the members.
- The secret key pk is twice as long as the message m, and is divided into 2N blocks pk1_1, pk1_2, . . ., pkN_1, pkN_2, each of length L.
- pk is secretly shared among the members, and the members AS(i) individually hold the secret portions pk1_1(i), pk1_2(i), . . ., pkN_1(i), pkN_2(i).
- Each member AS(i) performs the following arithmetic operation in the given finite set for each block, where * denotes multiplication and + denotes addition:
- c1(i), . . ., cN(i) correspond to the secret portions of c1, . . ., cN, which are obtained by dividing the encrypted statement c into N blocks, each of length L. Therefore, the encrypted statement c is decrypted by performing the previously described secret decryption processing, and becomes public.
- The apparatuses of the communication system that hold the secret key in common split the secret key pk and the encrypted statement c into blocks of length L, and compute (cj - pkj_2)/pkj_1 from pkj_1, pkj_2 and cj to obtain mj.
- The secret key pk is used only once and never used again in this case as well.
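The two block-wise one-time-key protocols above (Fig. 24A for secret data, Fig. 24B for public data) are shown below in GF(2^L) arithmetic, together with the known-plaintext weakness that motivates the second protocol. This is an added example, not code from the patent: L = 8 and the reduction polynomial x^8 + x^4 + x^3 + x + 1 are assumptions chosen for a compact field, and the encryption rule c_j = m_j * pk_j_1 + pk_j_2 is the inverse of the decryption (c_j - pk_j_2)/pk_j_1 that the text states. In GF(2^L), addition and subtraction are both XOR.

```python
"""Added example (not from the patent): one-time-key block encryption over GF(2^L).

Field size L = 8 and polynomial 0x11b are assumptions for illustration."""

L = 8
POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication of two field elements, reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << L):
            a ^= POLY
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^(2^L - 2) (Fermat); 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^L)")
    r, e = 1, (1 << L) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


# Protocol for secret data (Fig. 24A): key as long as the message, c_j = m_j + pk_j.
def encrypt_secret_data(m: bytes, pk: bytes) -> bytes:
    assert len(pk) == len(m), "pk must have the same length as m"
    return bytes(mj ^ kj for mj, kj in zip(m, pk))


decrypt_secret_data = encrypt_secret_data   # addition is its own inverse in GF(2^L)


def key_recovered_from_known_plaintext(m: bytes, c: bytes) -> bytes:
    """The weakness named in the text: with m and c both public, pk = c - m."""
    return bytes(cj ^ mj for cj, mj in zip(c, m))


# Protocol for public data (Fig. 24B): key twice as long, c_j = m_j * pk_j_1 + pk_j_2.
def encrypt_public_data(m: bytes, pk: bytes) -> bytes:
    assert len(pk) == 2 * len(m), "pk must be twice as long as m"
    out = []
    for j, mj in enumerate(m):
        k1, k2 = pk[2 * j], pk[2 * j + 1]
        if k1 == 0:
            raise ValueError("pk_j_1 must be non-zero so that the block is invertible")
        out.append(gf_mul(mj, k1) ^ k2)
    return bytes(out)


def decrypt_public_data(c: bytes, pk: bytes) -> bytes:
    """m_j = (c_j - pk_j_2) / pk_j_1, exactly as the text states."""
    return bytes(gf_mul(cj ^ pk[2 * j + 1], gf_inv(pk[2 * j])) for j, cj in enumerate(c))
```

With the public-data protocol, a known pair (m_j, c_j) constrains only one linear relation between the two key blocks pk_j_1 and pk_j_2, so neither block is determined; with the secret-data protocol the single key block is recovered outright, which is why the text restricts that protocol to data that is not public and insists each pk is used only once.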
- Authentication with a common key is realized using the above protocols by a shared authentication server, instead of a conventional centralized authentication server, as follows.
- The authentication protocol includes communication through which a testifier receives an authentication message from the shared authentication server, and communication through which the testifier provides authentication data to an authenticator. This is called "on-line processing".
- Off-line processing: As the premise for performing the on-line processing, a secret key sharing process between the shared authentication server and an apparatus that serves as a testifier or an authenticator, and a conversation key generation process by the shared authentication server, are necessary. This is called "off-line processing".
- The off-line processing may be performed each time a secret key or a conversation key is needed during the on-line processing, but then the time required for the on-line processing and the communication period are extended.
- The information that must be shared in advance among the members that constitute the shared authentication server is the information related to the secret keys of all the apparatuses.
- The secret key that is employed between a testifier and the shared authentication server must be discarded after the encryption or decryption of a message is completed. Thus, many keys have to be generated. This is done by the following secret key delivery processing.
- The generation of the shared pseudo-random secret that is employed as a conversation key between a testifier and an authenticator is also performed during the off-line processing, as follows.
- An apparatus j of the communication system that requests authentication performs the secret sharing process in advance to share among the members a sufficiently large number M of arbitrarily selected pseudo-random secrets pkj_1, . . ., pkj_M.
- The members AS(i) thus receive the secret portions pkj_1(i), . . ., pkj_M(i) of the pseudo-random secrets. If apparatus j has not shared the secret correctly, only apparatus j itself fails to receive authentication service using its own secret key pkj. Therefore, the post-processing that verifies whether the shared information is correct need not be performed in this case. Further, a broadcast communication channel across which all the members verify that j makes no false statement need not be provided between apparatus j and the members (see Fig. 27).
- Shared pseudo-random secrets r1, . . ., rQ, which are the conversation keys employed between testifiers and authenticators, are generated during the off-line processing and held in a list.
- As described in the shared pseudo-random secret generation protocol, all the members must perform the sharing processing for a pseudo-random secret. However, since the members do not all have to perform that processing at the same time, each may perform it when no other processing is being performed and the communication system is idle, and then share the generated pseudo-random secret with the other members. Each member then holds, as a list, the shared pseudo-random secrets r1(j), . . ., rQ(j) together with the index that indicates their position for use.
- The on-line authentication protocol by which client P (testifier) of the communication system acquires, from the shared authentication server, an authentication element to transmit to server V (authenticator) is performed by the following steps S1 through S4.
- Step S1: The client P transmits, across a normal communication channel to a member of the shared authentication server, a request message 101 (see Fig. 28A) that includes the information {id_P, id_V, s}, which is denoted AUTH_REQUEST.
- id_P denotes the identifier of the client P.
- id_V denotes data that specifies the server V.
- s denotes an arbitrarily selected random number.
- Step S2: A member that has received AUTH_REQUEST performs the procedures of the following steps S21 through S26 (see Fig. 28B).
- Step S21: A time stamp that indicates the current time is broadcast and the common time is confirmed.
- Step S22: Using the shared secret key encryption protocol for shared secret data, the pseudo-random secrets r_z, . . ., r_z+a-1 that are used as conversation keys ck1, . . ., cka between the testifier and the authenticator are encrypted with pkV_x, . . ., pkV_x+a-1 as the secret encryption keys.
- a denotes the number of pseudo-random secrets.
- z and x denote the indexes of the beginnings of the pseudo-random secret list and the secret key pk list, respectively.
- The results obtained by this encryption are CT_1, . . ., CT_a.
- Step S24: The shared secret key encryption protocol for shared secret data is employed, and the encrypted statements CT_1, . . ., CT_a+b for the authenticator, which are obtained at step S23, and the common keys ck1, . . ., cka, which are employed at step S22, are encrypted by employing the 2a+b secret keys pkP_y, . . ., pkP_y+2a+b as encryption keys.
- The thus encrypted results are CCT_1, . . ., CCT_2a+b.
- Step S25: The shared secret key encryption protocol for public data is employed, and the random number s, which became public at step S1, and id_V, the identifier of the authenticator, are encrypted by the 2c secret keys pkP_y, . . ., pkP_y+2c from the secret key list that is employed at step S24.
- The thus encrypted results are CCT_2a+b+1, . . ., CCT_2a+b+c.
- These results are appended to the result of step S24, and the final results are CCT_1, . . ., CCT_2a+b+c.
- Step S26: The secret decryption processing is performed to decrypt the secretly shared CCT_1, . . ., CCT_2a+b+c.
- The result obtained by the decryption is transmitted as an authentication message 102, together with the index y as it was before being updated at step S24, across the normal communication channel to the client P, who is the testifier.
- Step S3: The testifier P refers to the received index y and to the secret keys pkP_y, . . ., pkP_y+2a+b+2c in its secret key list, and employs the shared secret key decryption protocol for public data to decrypt the pseudo-random secret ck from the received data CCT_1, . . ., CCT_2a+b+c. The testifier P then verifies that the decrypted s and id_V are correct. When they are verified, the decrypted pseudo-random secret ck is stored as the common key with the authenticator, and the decrypted authentication element 103 is transmitted to the authenticator V (see Fig. 29A).
- Step S4: By referring to the index x, which is included in the authentication element, and to the secret keys pkV_x, . . ., pkV_x+a+2b in its secret key list, the authenticator V employs the shared secret key decryption protocol for public data to decrypt the time stamp and the identifier id_P of the testifier from the received authentication element, and employs the shared secret key decryption protocol for shared secret data to decrypt the pseudo-random secret ck. The authenticator then verifies that the decrypted time stamp and the decrypted identifier id_P are correct. When they are verified, authentication is granted to the testifier P, and the decrypted pseudo-random secret ck is stored as the common key with the testifier (see Fig. 29B).
- When an offending person wiretaps an authentication element that a testifier transmits to an authenticator in Embodiment 6 and stores it, the offending person can later submit that authentication element to the authenticator and request a service that the testifier did not intend, to the testifier's detriment. This act is called a replay attack.
- Therefore, exchanged time information is additionally attached to the authentication element that the testifier transmits to the authenticator at step S3 of the on-line processing in Embodiment 6.
- These procedures are shown in Figs. 30A and 30B.
- The processing in this embodiment is the same as that in Embodiment 6, except that steps S3' and S4' are performed in addition to steps S3 and S4 of the on-line processing. Only steps S3' and S4' will be explained.
- Step S3': After step S3 of Embodiment 6 is performed, the testifier employs the obtained conversation key ck to encrypt a new time stamp T2 and the identifier id_P of the testifier, obtaining {T2, id_P}ck. The testifier transmits {T2, id_P}ck to the authenticator together with the authentication element.
- Step S4': The authenticator performs step S4 of Embodiment 6 to decrypt the authentication element, and employs the obtained conversation key ck to decrypt the accessory message {T2, id_P}ck.
- The authenticator then verifies the time stamp T2 and the identifier id_P of the testifier, and when T2 is an old time stamp, the authenticator does not accept the request for service.
- The shared authentication protocol: By the shared authentication protocol, the same authentication function as the authentication protocol provided by conventional centralized management is provided for a testifier and an authenticator, and high fault tolerance is realized.
- The on-line processing of the shared authentication protocol can be provided with the same amount of calculation as is required for a conventional authentication protocol.
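The authenticator-side check of steps S3' and S4' (reject the request when T2 is old) is shown below as an added example; it is not code from the patent. The accessory message {T2, id_P}ck is modelled as the tuple (T2, id_P, tag) with tag = HMAC-SHA256 keyed by ck over T2 and id_P, so binding to ck is done with a MAC rather than with the page's encryption under ck, which is an assumption of this example; the clock window, the conversation key and the identifiers are constructed values. It goes slightly beyond the text by also rejecting a T2 that lies outside a bounded clock-skew window, which is the usual way "old" is made concrete.

```python
"""Added example (not from the patent): freshness check on the accessory message
{T2, id_P}ck. Encryption under ck is replaced by an HMAC keyed with ck (assumption);
the conversation key, identifiers and clock values are constructed for illustration."""
import hashlib
import hmac

WINDOW = 300   # seconds of tolerated clock skew between testifier and authenticator (assumed policy)


def _payload(t2: int, id_p: str) -> bytes:
    """Fixed-width encoding of (T2, id_P) so the tag covers an unambiguous message."""
    return t2.to_bytes(8, "big") + id_p.encode()


def make_accessory(ck: bytes, t2: int, id_p: str) -> tuple[int, str, bytes]:
    """Testifier side (step S3'): bind a fresh time stamp T2 and id_P to the key ck."""
    return t2, id_p, hmac.new(ck, _payload(t2, id_p), hashlib.sha256).digest()


class Authenticator:
    """Authenticator side (step S4'): verify the accessory and refuse stale T2."""

    def __init__(self, ck_by_testifier: dict[str, bytes]):
        self.ck_by_testifier = ck_by_testifier   # ck obtained at step S4, per testifier
        self.last_t2: dict[str, int] = {}        # newest T2 accepted from each testifier

    def accept(self, accessory: tuple[int, str, bytes], now: int, expected_id: str) -> bool:
        t2, id_p, tag = accessory
        ck = self.ck_by_testifier.get(id_p)
        if ck is None or id_p != expected_id:
            return False   # id_P does not match the testifier authenticated at step S4
        expected = hmac.new(ck, _payload(t2, id_p), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False   # accessory was not produced with the conversation key ck
        if abs(now - t2) > WINDOW:
            return False   # T2 too far from the authenticator's clock
        if t2 <= self.last_t2.get(id_p, -1):
            return False   # T2 is "the old one": a replayed or reordered accessory
        self.last_t2[id_p] = t2
        return True
```

A stored accessory message that is submitted a second time carries the same T2 and is refused by the last-seen comparison even inside the clock window, which is the replay case the embodiment is designed to stop; the window check additionally bounds how long a captured accessory remains usable when the authenticator has not yet seen a newer one.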
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Applications Claiming Priority (9)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP17848394A JP3604737B2 (ja) | 1994-07-29 | 1994-07-29 | Secret information processing method in a communication system having a plurality of information processing apparatuses, and the communication system |
JP178483/94 | 1994-07-29 | ||
JP17848394 | 1994-07-29 | ||
JP8184/95 | 1995-01-23 | ||
JP818495 | 1995-01-23 | ||
JP818595 | 1995-01-23 | ||
JP00818495A JP3610106B2 (ja) | 1995-01-23 | 1995-01-23 | Authentication method in a communication system having a plurality of apparatuses |
JP8185/95 | 1995-01-23 | ||
JP7008185A JPH08204697A (ja) | 1995-01-23 | 1995-01-23 | Signature generation method in a communication system having a plurality of apparatuses |
Publications (3)
Publication Number | Publication Date |
---|---|
EP0695056A2 true EP0695056A2 (fr) | 1996-01-31 |
EP0695056A3 EP0695056A3 (fr) | 1997-05-21 |
EP0695056B1 EP0695056B1 (fr) | 2005-05-11 |
Family
ID=27277924
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP95305211A Expired - Lifetime EP0695056B1 (fr) | 1994-07-29 | 1995-07-26 | Method for sharing secret information, generating a digital signature, and performing certification in a communication system having a plurality of information processing apparatuses, and communication system using such a method |
Country Status (7)
Country | Link |
---|---|
US (1) | US5708714A (fr) |
EP (1) | EP0695056B1 (fr) |
KR (1) | KR0148300B1 (fr) |
AT (1) | ATE295644T1 (fr) |
CA (1) | CA2154970C (fr) |
DE (1) | DE69534192T2 (fr) |
HK (1) | HK1011809A1 (fr) |
Families Citing this family (72)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6005938A (en) * | 1996-12-16 | 1999-12-21 | Scientific-Atlanta, Inc. | Preventing replay attacks on digital information distributed by network service providers |
US6055518A (en) * | 1996-02-01 | 2000-04-25 | At&T Corporation | Secure auction systems |
US6671675B2 (en) * | 1996-02-27 | 2003-12-30 | Canon Kabushiki Kaisha | Metering the flow of electronic information |
US6226383B1 (en) * | 1996-04-17 | 2001-05-01 | Integrity Sciences, Inc. | Cryptographic methods for remote authentication |
US6041408A (en) * | 1996-06-28 | 2000-03-21 | Hitachi, Ltd. | Key distribution method and system in secure broadcast communication |
JP3526524B2 (ja) * | 1996-10-31 | 2004-05-17 | 松下電器産業株式会社 | One-way data conversion device and device authentication system |
US5956402A (en) * | 1997-03-07 | 1999-09-21 | At&T Corp. | Passwordless secure and efficient remote data update |
US5953424A (en) * | 1997-03-18 | 1999-09-14 | Hitachi Data Systems Corporation | Cryptographic system and protocol for establishing secure authenticated remote access |
US6035041A (en) * | 1997-04-28 | 2000-03-07 | Certco, Inc. | Optimal-resilience, proactive, public-key cryptographic system and method |
US6246771B1 (en) * | 1997-11-26 | 2001-06-12 | V-One Corporation | Session key recovery system and method |
JPH11225138A (ja) * | 1998-02-06 | 1999-08-17 | Matsushita Electric Ind Co Ltd | Cryptographic processing device, cryptographic processing method, and recording medium recording the method |
US20050049082A1 (en) * | 1998-03-18 | 2005-03-03 | Callaway Golf Company | Golf ball |
RU2153191C2 (ru) | 1998-09-29 | 2000-07-20 | Закрытое акционерное общество "Алкорсофт" | Method for blind generation of a digital RSA signature and device for its implementation (variants) |
WO2000019652A1 (fr) * | 1998-10-01 | 2000-04-06 | University Of Maryland | Distributed shared key generation and management using fractional keys |
RU2157001C2 (ru) | 1998-11-25 | 2000-09-27 | Закрытое акционерное общество "Алкорсофт" | Method of making payments (variants) |
KR100545608B1 (ko) * | 1999-03-25 | 2006-01-25 | 유티스타콤코리아 유한회사 | Data acquisition system having a parallel distributed structure |
TW518497B (en) * | 1999-03-30 | 2003-01-21 | Sony Corp | Information processing system |
US7065216B1 (en) | 1999-08-13 | 2006-06-20 | Microsoft Corporation | Methods and systems of protecting digital content |
US6886098B1 (en) * | 1999-08-13 | 2005-04-26 | Microsoft Corporation | Systems and methods for compression of key sets having multiple keys |
WO2001015162A2 (fr) * | 1999-08-13 | 2001-03-01 | Microsoft Corporation | Methods and systems for protecting digital content |
US20020078358A1 (en) * | 1999-08-16 | 2002-06-20 | Neff C. Andrew | Electronic voting system |
US6920221B1 (en) | 1999-08-29 | 2005-07-19 | Intel Corporation | Method and apparatus for protected exchange of status and secret values between a video source application and a video hardware interface |
US7237116B1 (en) | 2000-01-19 | 2007-06-26 | International Business Machines Corporation | Digital signature system and method based on hard lattice problem |
US20030028423A1 (en) * | 2000-03-24 | 2003-02-06 | Neff C. Andrew | Detecting compromised ballots |
US20060085647A1 (en) * | 2000-03-24 | 2006-04-20 | Neff C A | Detecting compromised ballots |
US7099471B2 (en) * | 2000-03-24 | 2006-08-29 | Dategrity Corporation | Detecting compromised ballots |
DE60114833T2 (de) * | 2000-03-24 | 2006-04-13 | Dategrity Corp., Bellevue | Verifiable secret shuffling of encrypted data, such as ElGamal-encrypted data, for secure multi-authority elections |
US7389250B2 (en) | 2000-03-24 | 2008-06-17 | Demoxi, Inc. | Coercion-free voting scheme |
JP2002190945A (ja) * | 2000-10-12 | 2002-07-05 | Canon Inc | Information processing apparatus, control method therefor, and storage medium |
EP1371169A2 (fr) * | 2001-02-20 | 2003-12-17 | Votehere Inc. | Detecting compromised ballots |
JP3659178B2 (ja) * | 2001-02-22 | 2005-06-15 | 日本電信電話株式会社 | Distributed digital signature creation method and apparatus, method and apparatus for creating a digital document bearing a distributed digital signature, distributed digital signature creation program, and storage medium storing the distributed digital signature creation program |
CA2441304C (fr) * | 2001-03-24 | 2005-05-31 | Votehere, Inc. | Verifiable secret shuffles and their application to electronic voting |
MXPA02011835A (es) * | 2001-03-29 | 2003-10-06 | Matsushita Electric Ind Co Ltd | Data protection system that protects data by encrypting the data |
ES2278047T3 (es) * | 2001-04-27 | 2007-08-01 | Betrusted Ireland Limited | System and method for processing a shared secret |
FR2825877B1 (fr) * | 2001-06-12 | 2003-09-19 | Canal Plus Technologies | Method for controlling access to an encrypted program |
US7287156B2 (en) * | 2001-06-29 | 2007-10-23 | International Business Machines Corporation | Methods, systems and computer program products for authentication between clients and servers using differing authentication protocols |
CN1207867C (zh) * | 2001-09-28 | 2005-06-22 | 中国科学院研究生院 | Secure digital signature system and digital signature method thereof |
JP3997085B2 (ja) * | 2001-12-28 | 2007-10-24 | キヤノン株式会社 | Image generation apparatus |
US7349538B2 (en) * | 2002-03-21 | 2008-03-25 | Ntt Docomo Inc. | Hierarchical identity-based encryption and signature schemes |
US7979712B2 (en) * | 2002-07-01 | 2011-07-12 | International Business Machines Corporation | Network system, server and information terminal for list matching |
KR100936606B1 (ko) * | 2002-10-02 | 2010-01-13 | 엘지전자 주식회사 | Method for manufacturing a metal plate of a refrigerator |
JP2005140823A (ja) * | 2003-11-04 | 2005-06-02 | Sony Corp | Information processing apparatus, control method, program, and recording medium |
US7698557B2 (en) * | 2003-12-22 | 2010-04-13 | Guardtime As | System and method for generating a digital certificate |
CN100393034C (zh) * | 2004-04-30 | 2008-06-04 | 北京航空航天大学 | Source authentication method applied in a multicast communication system |
JP4748774B2 (ja) * | 2004-06-02 | 2011-08-17 | キヤノン株式会社 | Encrypted communication method and system |
US20050273609A1 (en) * | 2004-06-04 | 2005-12-08 | Nokia Corporation | Setting up a short-range wireless data transmission connection between devices |
WO2005122049A2 (fr) * | 2004-06-07 | 2005-12-22 | Dategrity Corporation | Cryptographic systems and methods, including practical high-certainty intent verification, for example for encrypted votes in an electronic election |
US8151348B1 (en) * | 2004-06-30 | 2012-04-03 | Cisco Technology, Inc. | Automatic detection of reverse tunnels |
US7512237B1 (en) | 2004-10-26 | 2009-03-31 | Lockheed Martin Corporation | Encryption for optical communications using dynamic subcarrier multiplexing |
US7536016B2 (en) * | 2004-12-17 | 2009-05-19 | Microsoft Corporation | Encrypted content data structure package and generation thereof |
EP1884059A2 (fr) * | 2005-05-13 | 2008-02-06 | Temple University of the Commonwealth System of Higher Education | Secret sharing technique with low overhead information content |
US20070143216A1 (en) * | 2005-12-16 | 2007-06-21 | Benaloh Josh D | Data Signal with a Database and a Compressed Key |
US10303783B2 (en) * | 2006-02-16 | 2019-05-28 | Callplex, Inc. | Distributed virtual storage of portable media files |
US8996586B2 (en) * | 2006-02-16 | 2015-03-31 | Callplex, Inc. | Virtual storage of portable media files |
JP4304215B2 (ja) * | 2007-03-23 | 2009-07-29 | 株式会社東芝 | Secret sharing apparatus, method, and program |
JP4334582B2 (ja) * | 2007-06-26 | 2009-09-30 | 株式会社東芝 | Secret sharing apparatus, method, and program |
US8151333B2 (en) * | 2008-11-24 | 2012-04-03 | Microsoft Corporation | Distributed single sign on technologies including privacy protection and proactive updating |
US9124423B2 (en) * | 2010-05-14 | 2015-09-01 | International Business Machines Corporation | Iterative data secret-sharing transformation |
JP5379914B2 (ja) * | 2010-07-23 | 2013-12-25 | 日本電信電話株式会社 | Secret sharing system, sharing apparatus, share management apparatus, acquisition apparatus, secret sharing method, program, and recording medium |
US8914635B2 (en) * | 2011-07-25 | 2014-12-16 | Grey Heron Technologies, Llc | Method and system for establishing secure communications using composite key cryptography |
ES2959510T3 (es) | 2011-10-21 | 2024-02-26 | Icu Medical Inc | Medical device update system |
US9092780B2 (en) * | 2012-02-13 | 2015-07-28 | PivotCloud, Inc. | User-mediator monitoring and controlling access to electronic content |
EP3021518B1 (fr) * | 2013-08-22 | 2018-04-18 | Nippon Telegraph And Telephone Corporation | Multi-party secure authentication system, authentication server, intermediary server, multi-party secure authentication method, and program |
EP3039596A4 (fr) | 2013-08-30 | 2017-04-12 | Hospira, Inc. | System and method for remotely monitoring and managing an infusion regimen |
US9539383B2 (en) | 2014-09-15 | 2017-01-10 | Hospira, Inc. | System and method that matches delayed infusion auto-programs with manually entered infusion programs and analyzes differences therein |
US10333696B2 (en) | 2015-01-12 | 2019-06-25 | X-Prime, Inc. | Systems and methods for implementing an efficient, scalable homomorphic transformation of encrypted data with minimal data expansion and improved processing efficiency |
US10505723B1 (en) | 2017-04-26 | 2019-12-10 | Wells Fargo Bank, N.A. | Secret sharing information management and security system |
WO2020027758A2 (fr) | 2018-08-03 | 2020-02-06 | Istanbul Teknik Universitesi | Systems and methods for shared key generation, identity authentication, and data transmission based on simultaneous transmission over multiple-access wireless channels |
CN110321735B (zh) * | 2019-04-29 | 2021-04-13 | 山东工商学院 | Service handling method, system, and storage medium based on zero-knowledge proof |
NZ782916A (en) * | 2019-05-08 | 2024-02-23 | Icu Medical Inc | Threshold signature based medical device management |
EP3767511B1 (fr) * | 2019-07-19 | 2021-08-25 | Siemens Healthcare GmbH | Secure execution of parameter data updates |
CN116506232B (zh) * | 2023-06-28 | 2023-10-10 | 南京畅洋科技有限公司 | Method for constructing a high-capacity Internet of Things covert channel based on channel coding |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0502712B1 (fr) * | 1991-03-05 | 2000-05-31 | Canon Kabushiki Kaisha | Calculation device and method for encrypting/decrypting communication data using the same |
US5276737B1 (en) * | 1992-04-20 | 1995-09-12 | Silvio Micali | Fair cryptosystems and methods of use |
IL102394A (en) * | 1992-07-02 | 1996-08-04 | Lannet Data Communications Ltd | Method and apparatus for secure data transmission |
US5469507A (en) * | 1994-03-01 | 1995-11-21 | International Business Machines Corporation | Secure communication and computation in an insecure environment |
US5553145A (en) * | 1995-03-21 | 1996-09-03 | Micali; Silvia | Simultaneous electronic transactions with visible trusted parties |
1995
- 1995-07-26 AT AT95305211T patent/ATE295644T1/de not_active IP Right Cessation
- 1995-07-26 DE DE69534192T patent/DE69534192T2/de not_active Expired - Lifetime
- 1995-07-26 US US08/507,524 patent/US5708714A/en not_active Expired - Lifetime
- 1995-07-26 EP EP95305211A patent/EP0695056B1/fr not_active Expired - Lifetime
- 1995-07-28 CA CA002154970A patent/CA2154970C/fr not_active Expired - Fee Related
- 1995-07-29 KR KR1019950023701A patent/KR0148300B1/ko not_active IP Right Cessation
1998
- 1998-12-04 HK HK98112822A patent/HK1011809A1/xx not_active IP Right Cessation
Non-Patent Citations (4)
Title |
---|
ADVANCES IN CRYPTOLOGY - CRYPTO '89. PROCEEDINGS, SANTA BARBARA, CA, USA, 20-24 AUG. 1989, ISBN 3-540-97317-6, 1990, BERLIN, WEST GERMANY, SPRINGER-VERLAG, WEST GERMANY, pages 286-298, XP002018655 CHI-SUNG LAIH ET AL: "Dynamic threshold scheme based on the definition of cross-product in an N-dimensional linear space" * |
ADVANCES IN CRYPTOLOGY - CRYPTO '91. PROCEEDINGS, SANTA BARBARA, CA, USA, 11-15 AUG. 1991, ISBN 3-540-55188-3, 1992, BERLIN, GERMANY, SPRINGER-VERLAG, GERMANY, pages 457-469, XP000269043 DESMEDT Y ET AL: "Shared generation of authenticators and signatures" * |
IEEE INFOCOM '92: CONFERENCE ON COMPUTER COMMUNICATIONS. ELEVENTH ANNUAL JOINT CONFERENCE OF THE IEEE COMPUTER AND COMMUNICATIONS SOCIETIES (CAT. NO.92CH3133-6), FLORENCE, ITALY, 4-8 MAY 1992, ISBN 0-7803-0602-3, 1992, NEW YORK, NY, USA, IEEE, USA, pages 2045-2054 vol.3, XP000300331 DESMEDT Y ET AL: "Multi-receiver/multi-sender network security: efficient authenticated multicast/feedback" * |
IEICE TRANSACTIONS ON FUNDAMENTALS OF ELECTRONICS, COMMUNICATIONS AND COMPUTER SCIENCES, APRIL 1993, JAPAN, vol. E76-A, no. 4, ISSN 0916-8508, pages 532-545, XP000378281 CERECEDO M ET AL: "Efficient and secure multiparty generation of digital signatures based on discrete logarithms" * |
Also Published As
Publication number | Publication date |
---|---|
US5708714A (en) | 1998-01-13 |
EP0695056B1 (fr) | 2005-05-11 |
DE69534192D1 (de) | 2005-06-16 |
CA2154970C (fr) | 1999-07-27 |
KR0148300B1 (ko) | 1998-08-17 |
CA2154970A1 (fr) | 1996-01-30 |
KR960006385A (ko) | 1996-02-23 |
HK1011809A1 (en) | 1999-07-16 |
ATE295644T1 (de) | 2005-05-15 |
EP0695056A3 (fr) | 1997-05-21 |
DE69534192T2 (de) | 2006-02-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US5708714A (en) | Method for sharing secret information and performing certification in a communication system that has a plurality of information processing apparatuses | |
EP0735723B1 (fr) | Cryptographic communication method and device | |
US5313521A (en) | Key distribution protocol for file transfer in the local area network | |
US5907618A (en) | Method and apparatus for verifiably providing key recovery information in a cryptographic system | |
US5124117A (en) | Cryptographic key distribution method and system | |
Shoup et al. | Securing threshold cryptosystems against chosen ciphertext attack | |
US6298153B1 (en) | Digital signature method and information communication system and apparatus using such method | |
EP0916209B1 (fr) | Encryption key recovery system | |
CN111342976B (zh) | Verifiable threshold proxy re-encryption method and system on ideal lattices | |
US6697488B1 (en) | Practical non-malleable public-key cryptosystem | |
US11870891B2 (en) | Certificateless public key encryption using pairings | |
US7200752B2 (en) | Threshold cryptography scheme for message authentication systems | |
US7171559B1 (en) | Method of exchanging digital data | |
US9544144B2 (en) | Data encryption | |
EP1366594A2 (fr) | Threshold cryptographic scheme for message authentication systems | |
US7080255B1 (en) | Secret key generation method, encryption method, and cryptographic communications method and system | |
US20220038267A1 (en) | Methods and devices for secured identity-based encryption systems with two trusted centers | |
US6724893B1 (en) | Method of passing a cryptographic key that allows third party access to the key | |
JPH0846607A (ja) | Secret information processing method in a communication system having a plurality of information processing apparatuses, and the communication system | |
JP3610106B2 (ja) | Authentication method in a communication system having a plurality of apparatuses | |
AU702563B2 (en) | A method for sharing secret information, generating a digital signature, and performing certification in a communication system that has a plurality of information processing apparatuses and a communication system that employs such a method | |
JP2004246350A (ja) | Encryption device and decryption device, cryptographic system including them, encryption method, and decryption method | |
Hwang | Scheme for secure digital mobile communications based on symmetric key cryptography | |
Abe et al. | A key escrow scheme with time-limited monitoring for one-way communication | |
JPH08204697A (ja) | Signature generation method in a communication system having a plurality of apparatuses | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE CH DE DK ES FR GB GR IT LI LU NL SE |
|
PUAL | Search report despatched |
Free format text: ORIGINAL CODE: 0009013 |
|
AK | Designated contracting states |
Kind code of ref document: A3 Designated state(s): AT BE CH DE DK ES FR GB GR IT LI LU NL SE |
|
17P | Request for examination filed |
Effective date: 19971002 |
|
17Q | First examination report despatched |
Effective date: 20021204 |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AT BE CH DE DK ES FR GB GR IT LI LU NL SE |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20050511 Ref country code: LI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20050511 Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT (WARNING: LAPSES OF ITALIAN PATENTS WITH EFFECTIVE DATE BEFORE 2007 MAY HAVE OCCURRED AT ANY TIME BEFORE 2007. THE CORRECT EFFECTIVE DATE MAY BE DIFFERENT FROM THE ONE RECORDED.) Effective date: 20050511 Ref country code: CH Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20050511 Ref country code: BE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20050511 Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20050511 |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP |
|
REF | Corresponds to: |
Ref document number: 69534192 Country of ref document: DE Date of ref document: 20050616 Kind code of ref document: P |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20050726 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20050811
Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20050811
Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20050811 |
|
REG | Reference to a national code |
Ref country code: HK Ref legal event code: GR Ref document number: 1011809 Country of ref document: HK |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20050822 |
|
NLV1 | Nl: lapsed or annulled due to failure to fulfill the requirements of art. 29p and 29m of the patents act |

REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
ET | Fr: translation filed |

26N | No opposition filed |
Effective date: 20060214 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: FR Payment date: 20110804 Year of fee payment: 17 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: GB Payment date: 20110726 Year of fee payment: 17
Ref country code: DE Payment date: 20110731 Year of fee payment: 17 |
|
GBPC | Gb: european patent ceased through non-payment of renewal fee |
Effective date: 20120726 |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: ST Effective date: 20130329 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: FR Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20120731
Ref country code: DE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20130201
Ref country code: GB Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20120726 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R119 Ref document number: 69534192 Country of ref document: DE Effective date: 20130201 |